I did a course on computer security and vulnerabilities a while back and threw the whole range of hacker attack tools at Bubba to see what I could find. In fact Bubba was very secure and much more secure than some well known websites out there.

I do see a lot of attempts by hacking bots to request system files; Bubba of course does not supply! I guess it is one of those attempts you are seeing here...

I don't use 'Logwatch' so I don't know what it reports, but unless you have given out your root password then I think it's unlikely you have been hacked. Unless you have altered apache then I cannot see /etc/passwd (or its shadow) being accessible. If they have your root password why would they need your passwd file?

There is some truth in using 'difficult' passwords as it is always possible to do a DES compare between an encrypted dictionary and a /etc/passwd file. I have done it myself and am amazed how many users still use 'nouns' as their passwords; including numbers in a password always helps.

So in short, I don't think you've been hacked; unless you've invited it. Change your root password, just in case....

Bubba is no more hackable than any other server connected to the internet, less so in fact as it has fewer open ports to attack...

I did some further tests with Bubba while offline from my main network and discovered the following:

There are two perl scripts used by the main Bubba code: print.pl which manages printing and backend.pl which handles "All activities that require elevated privilges"

It seems that as Clive says, user_auth.php uses backend.pl to read the user list and hashed passwords from /etc/shadow so that it can manage logins. This makes perfect sense and I can't currently think of a better way to do this.

As far as I have been able to figure out so far, there is no way to nefariously access the God-mode features in backend.pl from web-admin - but that is not a cast-iron guarantee!

Now I know the full picture, the log message is fine - but you have to admit that it looks alarming when seen out of context!

What does disappoint me is that it was more than four days before a user was able to confirm that this is normal. Assuming that this is a normal, yet alarming, log message I am surprised that a simple answer was not quickly provided by someone with detailed knowledge of the product such as Johannes or Tor. Maybe I am repeating an earlier mistake of assuming that this is the best place to come for support (it is linked from the "Customer support area" of excito.com).